using interpolation for the verification of security protocols · marco rocchetto, luca vigan o,...

Using Interpolationfor the

Verification of Security Protocols

Marco Rocchetto, Luca Vigano, Marco Volpe

REGIS: REsearch Group in Information SecurityDepartment of Computer Science

Universita di Verona, Italy

Department of InformaticsKing’s College London, UK

iPRA, July 18, 2014

Rocchetto, Vigano, Volpe Interpolation for Security Protocols iPRA, July 18, 2014 1 / 37

The idea

Outline

1 The idea

2 SPiMMethod descriptionExample

3 SPiM Java prototype

4 Future work

The idea

The idea behind SPiM

Interpolation

Successfully applied in formal methods for model checkingand test-case generation for sequential programs

Security protocols

Unsuitable to the direct application of such methods:

• sequential programs only • no intruder logic

SPiM (Security Protocol interpolation Method)

Given a formal protocol specification, it combines

Craig interpolation,symbolic execution,standard Dolev-Yao intruder model

to search for goals (i.e., possible attacks on the protocol)

Interpolants: generated as a response to search failure inorder to prune possible useless traces and speed up exploration

The idea

The idea behind SPiM

Interpolation

Successfully applied in formal methods for model checkingand test-case generation for sequential programs

Security protocols

Unsuitable to the direct application of such methods:

• sequential programs only • no intruder logic

SPiM (Security Protocol interpolation Method)

Given a formal protocol specification, it combines

Craig interpolation,symbolic execution,standard Dolev-Yao intruder model

to search for goals (i.e., possible attacks on the protocol)

Interpolants: generated as a response to search failure inorder to prune possible useless traces and speed up exploration

Outline

1 The idea

4 Future work

General overview of SPiM

Verdict- True (No attack found)- Test Suite (Attack trace)

ASLan++Specification

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

Starts from a specification of security protocol and property, and ascenario

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

Creates and symbolically executes a sequential program (controlflow graph) searching for set of goals (i.e., attacks)

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

When a goal is reached

extracts attack trace (test case) from set of constraints producedin execution path

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

When search fails to reach a goal

starts backtrack phase, during which nodes of graph are annotated(a la McMillan) with formulas obtained by using Craig interpolation

Interpolants: generated as a response to search failure in order toprune possible useless traces and speed up exploration

SPiM Method description

Outline

1 The idea

4 Future work

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

An example

Needham-Schroeder Public Key (NSPK) protocol

A→ B : {NA,A}pk(B)

B → A : {NA,NB}pk(A)

A→ B : {NB}pk(B)

Man-in-the-middle attack

A→ i : {NA,A}pk(i)

i(A)→ B : {NA,A}pk(B)

B → i(A) : {NA,NB}pk(A)

i → A : {NA,NB}pk(A)

A→ i : {NB}pk(i)

i(A)→ B : {NB}pk(B)

An example

Needham-Schroeder with Lowe’s fix (NSL) protocol

A→ B : {NA,A}pk(B)

B → A : {NA,NB ,B}pk(A)

A→ B : {NB}pk(B)

Man-in-the-middle attack

Attack does not work anymore (other attacks do).

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

ASLan++ NSL Code example

Alice(Actor,B:agent){

Na:=fresh(); Actor->B:{Actor.Na}_pk(B); B->Actor:{Na.?Nb.B}_pk(Actor); Actor->B:{Nb}_pk(B);

Bob(Actor,A:agent){

?->Actor:{?A.?Na}_pk(Actor); Nb:=fresh(); Actor->A:{Na.Nb.B}_pk(A); A->Actor:{Nb}_pk(Actor);

Instantiation:

Alice Bob(1) a i(2) i b

Goal:Bob authenticates Alice-------------------------------

The AVANTSSAR Platform

Vulnerability

: Policy: Tool input/output

: Trust and SecurityTS: Composed ServiceCS: Composed PolicyCP: ServiceS

insecu

Policy

Composed service/policy

Secured service/policy

TS Wrapper

secure

Services

feedback

BPMN + Annotations

HLPSL++

CONNECTOR

ASLan++

orchestration/composition

validationproblem

TS VALIDATORTS ORCHESTRATOR

Specification of the available services (new) Service specified

ASLan ASLan

TS Wrapper

The AVANTSSAR Validation Platform

The SPaCIoS Tool

Model of the SUV

Abstract execution trace

Test case

The SPaCIoS Tool

Test Execution Engine

VulnerabilitiesAttack PatternsSecurity Goals

Attacker Models

User Interface

Model of theSUV

Securitygoals

Userguidance

SecurityAnalyst

Model inference and adjustment

Property-driven and vulnerability-driven

test case generation

Libraries

Model ofthe attacker

Faultlocation

SUVsource

Sourcebased

inference

Trace-driven faultlocalization

Control Flow Graph and Intruder Actions

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

IntraLA algorithm designed for sequential programs(K. McMillan. Lazy annotation for program testing and verification. CAV’10)

To apply (a modified version of) IntraLA to security protocols,we define a translation of a specification of a protocol P for agiven scenario into a sequential non-deterministic program

From parallel to sequential

Alice := a,Bob := i

1.1) Alice.Actor := a;

1.2) Alice.B := Y_1;

1.3) IK := {a,b,i,pk_a,pk_b,pk_i,pk_i^-1};1.4)

1.5) Alice.Na := c_1;

1.6) IK := IK + {Alice.Na,Alice.Actor}_pk(Alice.B);1.7)

1.8) if (IK |- {Alice.Na,?Alice.Nb,Alice.B}_pk(Alice.Actor))1.9) then

1.10) Alice.Nb = Y_2;

1.11) else

1.12) end

1.14) IK := IK + {Alice.Nb}_pk(Alice.B);

Bob(Actor,A:agent){

From parallel to sequential

Alice := i ,Bob := b2.1) Bob.Actor := b;

2.4) if (IK |- {?Bob.Na,?Bob.A}_pk(Bob.Actor))2.5) then

2.6) Bob.Na = Y_1;

2.7) Bob.A = Y_2;

2.8) else

2.9) end

2.11) Bob.Nb := c_1;

2.12) IK := IK + {Bob.Na,Bob.Nb,Bob.Actor}_pk(Bob.A);2.13)

2.14) if (IK |- {Bob.Nb}_pk(Bob.Actor))2.15) then

2.16) do nothing

2.17) else

2.18) end

Bob(Actor,A:agent){

Control Flow Graph - NSL

Combining sessions

Input variables Xi to switch betweensessions

1.1) Alice.Actor := a;

1.2) Alice.B := Y_1;

1.5) Alice.Na := c_1;

1.6) IK := IK + {Alice.Na,Alice.Actor}_pk(Alice.B);1.7)

1.8) if (IK |-

{Alice.Na,?Alice.Nb,Alice.B}_pk(Alice.Actor))1.9) then

1.10) Alice.Nb = Y_2;

1.11) else

1.12) end

1.14) IK := IK + {Alice.Nb}_pk(Alice.B);

1.1-32.1-2

[X1=2]

[Xi = k]

stands for the Intruder's choice

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18 2.14-18

1.8-14

prove(Bob2.A = i)

Correctness of the translation

Summing up

Each ASLan++ statement is translated into a fragment of code in a pseudoprogramming language (SiL).

The session interleaving is simulated in SiL by using conditionals with respect toinput parameters.

A (quite standard) notion of equivalence between ASLan++ and SiL states isdefined.

Equivalence Theorem

The original ASLan++ specification and its translation into SiL are “equivalent”.

Proof By standard bisimulation techniques. In particular, we show that for eachsequence of steps in ASLan++, there exists a path in the control flow graph of its SiLtranslation that passes through equivalent states.

Corollary

An attack state is found in an ASLan++ specification iff a goal location is reachablein its SiL translation.

IntraLA algorithm

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

Modified IntraLA algorithm executes symbolically a program graphsearching for goal locations (attacks)

If we fail to reach a goal, an annotation (condition underwhich no goal can be reached) produced by Craig interpolationAnnotation (backtrack) propagated to other nodes to block alater phase of symbolic execution along an uninteresting run(that will not reach goal)

IntraLA [McMillan, CAV2010]

Init {l0,s0}, A0, G0

q = (l1, s1) ∈ Qe = (l1, a, l2) ∈ ∆

Decide Q, A, GQ + (l2,s2), A, G

¬B(q, A(e))

s2 ∈ SI (a)(s1)¬B((l2, s2), A(l2))

q = (l1, s1) ∈ Q

Learn Q, A, GQ, A + e: φ, G

e = (l1, a, l2) ∈ ∆B(q, φ)J(e : φ, A)

q = (l, s) ∈ Q

Conjoin Q, A, GQ − q, A + l : φ, G − l

¬B(q, A(l))

∀e ∈ Out(l), e : φe ∈ A ∧ B(q, φe )φ = ∧{φe | e ∈ Out(l)}

Decide: symbolically executes one program action andgenerates a new query (keeps track of which symbolic statesstill need to be considered) from an existing oneLearn used to generate annotations in backtrack phaseConjoin used to backtrack and merge annotations comingfrom different branches

Interpolants as annotations

Craig’s Interpolation

In FOL, if α ∧ β is inconsistent, then there exists ı s.t.

α implies ı

ı implies ¬βL(ı) ∈ L(α) ∩ L(β)

exec1 → î î → ¬ goal

Execution 1

An example

After an “unsuccessful” execution 1, we calculate an interpolant ıas a condition that prevents us to reach the goal, and annotatethe location n with it.

exec1 → î î → ¬ goal

2Execution 1

exec2 ?→ î

An example

If execution 2 reaches in the same location a state where ı isimplied, then we can ignore that path (as we know that no goalwill ever be reached).

Craig’s Interpolation

In FOL, if α ∧ β is inconsistent, then there exists ı s.t.

α implies ı

ı implies ¬βL(ı) ∈ L(α) ∩ L(β)

We can define α and β as follows:

α = PC∧

v∈Varv = Env(v)

β = Sem(a) ∧ ¬ann′where:

PC is a conjunction of path constraints

Var is the set of program variables

Env is the environment

Sem(a) is the semantics (expressed as a transition formula) of the last action a

ann is the current annotation of the node

SPiM Example

Outline

1 The idea

4 Future work

SPiM Example

NSL example

1.1-32.1-2

[X1=2]

[Xi = k]

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18 2.14-18

1.8-14

prove(Bob2.A = i)

SPiM Example

NSL example

1.1-32.1-2

[X1=2]

[Xi = k]

PC {Bob⊇2.A = i}

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18 2.14-18

1.8-14

prove(Bob2.A = i)

SPiM Example

NSL example

Learn on (l6, g)

α⇒ ı⇒ ¬βı = {Bob2.A = i}

1.1-32.1-2

[X1=2]

[Xi = k]

î={Bob2.A = i}

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18 2.14-18

1.8-14

prove(Bob2.A = i)

SPiM Example

NSL example

Learn on (l5, l6)

α⇒ ı⇒ ¬βı = {Bob2.A = i} ∨ CV

CV ∈ L(Var)is a constraint

over Var s.t. CV entails

IK 6` {Bob2.Nb}pk{Bob2.Actor}

1.1-32.1-2

[X1=2]

[Xi = k]

î={Bob2.A = i}

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18î={Bob

2.A = i} \/ C

2.14-18

1.8-14

prove(Bob2.A = i)

SPiM Example

NSL example

1.1-32.1-2

[X1=2]

[Xi = k]

î={Bob2.A = i}

prove(Bob2.A = i)

[X1=1]

1.8-14

2.4-12

[X2=1] [X

2.14-18î={Bob

2.A = i} \/ C

2.14-18

1.8-14

prove(Bob2.A = i)

PC => î

SPiM Example

Verdict NSL

+Goals

+Instantiation

IntruderActions

IntraLA(algorithm)

Output

ControlFlowGraph

The instantiation of the obtained attack is:a → i : {c1, a}pk(i)

i(a) → b : {c1, a}pk(b)

b → i(a) : {c1, c2}pk(i(a))

i → a : {c1, c2}pk(a)

a → i : {c2}pk(i)

i(a) → b : {c2}pk(b)

SPiM Example

Verdict NSPK

Without Lowe’s fix we obtain a MITM attack:

Alice1.Actor → Alice1.B : {Alice1.Na,Alice1.Actor}pk(Alice1.B)

? → Bob2.Actor : {Bob2.Na,Bob2.A}pk(Bob2.Actor)

Bob2.Actor → Bob2.A : {Bob2.Na,Bob2.Nb}pk(Bob2.A)

Alice1.B → Alice1.Actor : {Alice1.Na,Alice1.Nb}pk(Alice1.Actor)

Alice1.Actor → Alice1.B : {Alice1.Nb}pk(Alice1.B)

Bob2.A → Bob2.Actor : {Bob2.Nb}pk(Bob2.Actor)

The instantiation of the obtained attack is:

a → i : {c1, a}pk(i)

i(a) → b : {c1, a}pk(b)

b → i(a) : {c1, c2}pk(i(a))

i → a : {c1, c2}pk(a)

a → i : {c2}pk(i)

i(a) → b : {c2}pk(b)

SPiM Example

Verdict NSPK

Without Lowe’s fix we obtain a MITM attack:

Alice1.Actor → Alice1.B : {Alice1.Na,Alice1.Actor}pk(Alice1.B)

? → Bob2.Actor : {Bob2.Na,Bob2.A}pk(Bob2.Actor)

Bob2.Actor → Bob2.A : {Bob2.Na,Bob2.Nb}pk(Bob2.A)

Alice1.B → Alice1.Actor : {Alice1.Na,Alice1.Nb}pk(Alice1.Actor)

Alice1.Actor → Alice1.B : {Alice1.Nb}pk(Alice1.B)

Bob2.A → Bob2.Actor : {Bob2.Nb}pk(Bob2.Actor)

a → i : {c1, a}pk(i)

i(a) → b : {c1, a}pk(b)

b → i(a) : {c1, c2}pk(i(a))

i → a : {c1, c2}pk(a)

a → i : {c2}pk(i)

i(a) → b : {c2}pk(b)

SPiM Example

Verdict NSPK

a → i : {c1, a}pk(i)

i(a) → b : {c1, a}pk(b)

b → i(a) : {c1, c2}pk(i(a))

i → a : {c1, c2}pk(a)

a → i : {c2}pk(i)

i(a) → b : {c2}pk(b)

That is the usual MITM attack on NSPK protocol:

A → i : {NA,A}pk(i)

i(A) → B : {NA,A}pk(B)

B → i(A) : {NA,Nb}pk(A)

i → A : {NA,NB}pk(A)

A → i : {NB}pk(i)

i(A) → B : {NB}pk(B)

SPiM Java prototype

Outline

1 The idea

4 Future work

SPiM Java prototype

Details

based on Z3 (sat check) and iZ3 (interpolant generation)

uses a modified version of IntraLA

Theories

IntraLA

Verdict

quantifierelimination

EUFASLan++

entity A{...}entity B{...}

transla

output

JavaJava

--SiL--

Translator Model-checker

SPiM Java prototype

Results

A comparison

In order to show the effectiveness of our interpolation-basedtechnique, we let the tool run in two different modalities on a fewcase studies:

1 IntraLA: annotation-driven symbolic execution;

2 Full-explore: standard symbolic execution (i.e., fullexploration of the graph).

Specification (sessions) IntraLA (# Decide+Learn) Full-explore (# Decide) attackNSL (ab,ab) 125m22s (327+218) 419m15s (587) noNSL (ai,ab) 3m15s (81+20) 4m4s (109) noNSPK (ab,ab) 54m13s (237+218) 131m53s (587) noNSPK (ai,ab) 1m49s (92+20) 1m55s (113) yesHelsinki (ab,ab) 224m21s (291+258) 549m38s (681) noYahalom (abs) 22m56s (31) 23m10s (31) no

Future work

Outline

1 The idea

4 Future work

Future work

Full implementation (and more case studies)

ASLan++ full coverage

More complex protocols and goals (LTL)

Test case generation and integration in testing phase

Future work

Thank you

Future work

Inference rules for a Dolev-Yao intruder

M ∈ IK

M ∈ DY(IK)Gaxiom

M1 ∈ DY(IK) M2 ∈ DY(IK)

[M1,M2] ∈ DY(IK)Gpair

[M1,M2] ∈ DY(IK)

Mi ∈ DY(IK)Apairi

M1 ∈ DY(IK) M2 ∈ DY(IK)

{M1}M2∈ DY(IK)

Gcrypt

{M1}M2∈ DY(IK) inv(M2) ∈ DY(IK)

M1 ∈ DY(IK)Acrypt

{M1}inv(M2) ∈ DY(IK) M2 ∈ DY(IK)

M1 ∈ DY(IK)A−1crypt

We convert such a deduction system into a formula (over a finitenumber of inference steps) and use Z3/iZ3 for performing symbolicexecution and calculating annotations.

Future work

How we model Dolev-Yao intruder inference

ϕj = ∀M. (DY j+1IK (M) ↔ (DY j

IK (M)

∨ (∃M′.DY jIK ([M,M′]) ∨ DY j

IK ([M′,M]))

∨ (∃M1,M2.M = [M1,M2] ∧ DY jIK (M1) ∧ DY j

IK (M2))

∨ (∃M1,M2.M = {M1}M2∧ DY j

IK (M1) ∧ DY jIK (M2)))

∨ (∃M′.DY jIK ({M}M′ ) ∧ DY j

IK (inv(M′)))

∨ (∃M′.DY jIK ({M}inv(M′)) ∧ DY j

IK (M′))

using interpolation for the verification of security protocols · marco rocchetto, luca vigan o,...

Documents

vigan philippines

compiled by ann volpe gallentine

social media marketing technologies presented by dorothéa...

mike volpe presentation

mike volpe - social media giant

casa della volpe

wodp blr and regional beneficiaries trainings and … ·...

volpe planning study · 2017-10-11 · volpe planning study...

luca vigano` marco volpe arxiv:0803.3187v2 [cs.lo] 25 mar...

giuseppe volpe | portfolio 2014

eminari s internazionali del centro interuniversitario per...

for more information contact - vigan · 2011. 11. 3. · as...

volpe expo paper 2006 - docsis

volpe library marketing plan

volpe briefing for aski v3

observation volpe 7 codes

triste gorrión - memorias de robert le vigan

fact sheet_cala di volpe

rita volpe highlights - hsdl

community meetings - volpe redevelopment project | … 1....